Rootkits
Rootkits are arguably the most technically sophisticated form of malicious code (malware) and among the most difficult to discover and eliminate. Of all types of malware, viruses and worms probably get the most publicity, because they are generally widespread and many people know they have been affected by one, but this by no means makes viruses and worms the most destructive variety of malware. There are more dangerous types, precisely because, as a rule, they operate in stealth mode, are difficult to detect and remove, and can go unnoticed for very long periods of time, silently stealing data and modifying the files on the victim's machine.
An example of such a stealthy enemy is the rootkit: a collection of tools that replace or change executable programs, or the kernel of the operating system itself, to gain administrator-level access to the system, which can then be used to install spyware, keyloggers and other malicious tools. Essentially, a rootkit allows an attacker to gain complete control over the victim's machine (and possibly over the whole network the machine belongs to). One of the known uses of a rootkit to cause considerable damage was the theft of the source code of Half-Life 2. Rootkits are not something new: they have been known for decades and have affected various operating systems (Windows, UNIX, Linux, Solaris, etc.). But if it were not for one or two mass occurrences of rootkits (see the Famous Examples section), which drew public attention to them, they might again have remained known only to a small circle of security professionals. As of today, rootkits have not unleashed their full destructive potential and are not as widespread as viruses, but this is of little comfort.

Rootkits Mechanism Exposed

Like Trojan horses, viruses and worms, rootkits install themselves by exploiting flaws in network security and in the operating system itself, and often no action on the user's side is necessary, although there are rootkits that arrive as an e-mail attachment or are bundled with a legitimate software program and are harmless until the user opens the attachment or installs the program. But unlike less sophisticated forms of malware, rootkits infiltrate the operating system very deeply and make special efforts to disguise their presence, for instance by modifying system files.

Basically, there are two types of rootkits: kernel level and application level. Kernel level rootkits add code to or modify the kernel of the operating system. This is achieved by installing a device driver or a loadable kernel module, which alters system calls to hide the presence of an attacker. Thus, if you look in the log files, you will see no suspicious activity on the system. Application level rootkits are less sophisticated and generally easier to detect, because they modify the executables of applications rather than the operating system itself. Since Windows 2000, every change to an executable file is reported to the user, which makes it more difficult for the attacker to go unnoticed.

Why Rootkits Pose a Risk

Rootkits can act as a backdoor, and usually they are not alone in their mission: they are often accompanied by spyware, Trojan horses or viruses, and the aims of a rootkit can vary from the simple malicious joy of penetrating somebody else's computer (and hiding the traces of the foreign presence) to building a whole system for illegally obtaining confidential data (credit card numbers, or source code, as in the case of Half-Life 2). Generally, application level rootkits are less dangerous and easier to detect. But if the program you use to keep track of your finances gets "patched" by a rootkit, the monetary loss could be significant: an attacker can use your credit card data to purchase a couple of items, and if you do not notice the suspicious activity on your credit card balance in time, it is most likely that you will never see the money again. Compared to kernel level rootkits, application level rootkits look sweet and harmless. Why? Because in theory a kernel level rootkit opens all doors to a system, after which installing other malware, for instance for the theft of financial data, is pretty easy. Having a kernel level rootkit and not being able to detect and remove it easily (or at all, as we will see next) means that somebody else has total control over your computer and can use it in any way he or she pleases, for instance to launch an attack on other machines while giving the impression that the attack originates from your computer rather than from somewhere else.